A typical FTP session will send login information unencrypted. It is a fairly simple matter to configure vsftpd to use SSL/TLS and encrypt connections. You can either create a self-signed certificate for this purpose or use an existing certificate issued by a third party.

Generate a self-signed certificate

Firstly, we generate the private key (in this case, 2048 bits):

openssl genrsa -out /etc/pki/tls/private/www.domain.com.key 2048

Make a directory for the CSRs:

mkdir /etc/pki/tls/csrs

Next, we use the private key to generate a certificate signing request (CSR):

This will point vsftpd to your certificate and private key, set the protocol to TLS, and allow non-encrypted logins if the client does not support (or opts not to use) encrypted logins.
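As an added example (not from the original post), the shell script below audits a vsftpd.conf for the weaker choice just described, i.e. a configuration that still lets clients log in or transfer data without encryption, and for obsolete SSL versions left enabled. The two configuration files are constructed for the demonstration and the certificate path under /etc/pki/tls/certs is an assumption; the option names are vsftpd's own.

```shell
#!/bin/sh
# Added example, not part of the original post. Audits a vsftpd.conf for
# TLS settings that still permit plaintext logins or data transfers.
# Option names are vsftpd's own; the config contents are constructed.

# Print the value of a key from a vsftpd.conf (empty if absent).
# vsftpd expects key=value lines with no spaces; the last definition wins.
conf_get() {
    sed -n "s/^[[:space:]]*$2=\(.*\)$/\1/p" "$1" | tail -n 1
}

# Return 0 if TLS is on, enforced for local logins and data, and SSLv2/SSLv3
# are not enabled; otherwise print one finding per line and return 1.
audit_vsftpd_tls() {
    conf="$1"; rc=0
    if [ "$(conf_get "$conf" ssl_enable)" != "YES" ]; then
        echo "ssl_enable is not YES: TLS is not offered at all"; rc=1
    fi
    if [ "$(conf_get "$conf" force_local_logins_ssl)" != "YES" ]; then
        echo "force_local_logins_ssl is not YES: passwords may cross the wire in clear"; rc=1
    fi
    if [ "$(conf_get "$conf" force_local_data_ssl)" != "YES" ]; then
        echo "force_local_data_ssl is not YES: file contents may cross the wire in clear"; rc=1
    fi
    for legacy in ssl_sslv2 ssl_sslv3; do
        if [ "$(conf_get "$conf" "$legacy")" = "YES" ]; then
            echo "$legacy=YES: obsolete protocol version enabled"; rc=1
        fi
    done
    return $rc
}

workdir=$(mktemp -d)

# Constructed "weak" config: TLS available, but plaintext still accepted and
# SSLv3 left on. Certificate path is an assumed placeholder.
cat > "$workdir/weak.conf" <<'EOF'
ssl_enable=YES
rsa_cert_file=/etc/pki/tls/certs/www.domain.com.crt
rsa_private_key_file=/etc/pki/tls/private/www.domain.com.key
force_local_logins_ssl=NO
force_local_data_ssl=NO
ssl_sslv3=YES
EOF

# Constructed hardened config: plaintext refused, legacy versions off.
cat > "$workdir/strong.conf" <<'EOF'
ssl_enable=YES
rsa_cert_file=/etc/pki/tls/certs/www.domain.com.crt
rsa_private_key_file=/etc/pki/tls/private/www.domain.com.key
force_local_logins_ssl=YES
force_local_data_ssl=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1=YES
EOF

for f in weak strong; do
    if audit_vsftpd_tls "$workdir/$f.conf"; then echo "$f.conf: OK"; else echo "$f.conf: see findings above"; fi
done
```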

Setting up FileZilla to use FTP over SSL/TLS

FTPS, that is FTP over SSL/TLS (not the same as SFTP), can be configured either implicitly (FTPS) or explicitly (FTPES). For both, you must prepend the protocol to the hostname. The explicit version switches to an encrypted mode only once the correct command (AUTH TLS) is issued, while the implicit mode uses an encrypted connection from the start. Implicit SSL often uses a port other than 21 (typically 990).

To use explicit FTP, you would provide the hostname as follows: FTPES://domain.com

On the first connection, FileZilla will inform you that the certificate is unknown and ask whether you wish to trust the certificate and proceed. You can set FileZilla to remember that you have trusted the certificate in the future.

One final note: an SSL certificate is issued for a specific 'common name' (i.e. the fully qualified domain name); however, in terms of its ability to encrypt data, it will work on any domain (as long as the matching private key is provided). On a server hosting multiple domains, it may be permissible to use a single certificate to encrypt FTP traffic for all domains; at the very least, it does work. (FileZilla will show that the certificate was issued for a specific domain, but it does not appear to raise any additional warnings if the domains do not match, and it certainly allows the connection if you decide to trust the certificate.)